SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Threat Hunters from Infocyte and SANS will discuss how to adapt Digital Forensics & Incident Response (DFIR) techniques to scalably and proactively hunt for unknown threats across an entire enterprise network. This approach is called Forensic State Analysis (FSA). Ultimately, FSA arms hunters with an effective and efficient methodology to hunt without relying solely on sophisticated security infrastructure, sensors, or big data. Register: http://www.sans.org/info/193622
***************************************************************************

TOP OF THE NEWS

The FBI has issued a private industry warning that attackers are targeting anonymous file transfer protocol (FTP) servers in the healthcare industry. The attackers appear to be seeking protected health information (PHI) and personally identifiable information (PII). The FBI recommends that healthcare organizations check their networks for FTP servers running in anonymous mode and, if they have a reason for operating those servers, ensure that the servers do not hold PHI or PII.
[Editor Comments]
[Pescatore] The FBI warning focuses on the data breach risks of having anonymous FTP services in use on your network. Equally important these days is the risk anonymous FTP raises of attackers inserting illegal or embarrassing content on those servers and then either involving your company in illegal activities or threatening to expose your hosting of the content unless extortion payments are made. Don't leave anonymous FTP servers active just because they are not hosting sensitive info.
[Henry] Attacks against the healthcare industry have been on the rise for the past several years. The value of PHI data to criminals and, additionally, the value of this very personal information to nation-states who may use it to build "dossiers" on people they may try to compromise, has increased this information as a target. Add to that the increased "healthcare target space," in terms of more organizations pushing this data to the network, and increased medical IoT devices collecting/storing/transmitting this sensitive information, and you've got a recipe for significant exploitation.
Read more in:
Dark Reading: FBI: Attackers Targeting Anonymous FTP Servers in Healthcare http://www.darkreading.com/attacks-breaches/fbi-attackers-targeting-anonymous-ftp-servers-in-healthcare/d/d-id/1328496?
FBI: Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information (PDF) https://info.publicintelligence.net/FBI-PHI-FTP.pdf
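Added example (not part of the NewsBites item or the FBI notice): one way to act on the recommendation above for servers running vsftpd, which is an assumption since the notice names no product. It reads vsftpd.conf text and separates read exposure (the FBI's concern) from anonymous write access (the content-insertion risk raised in the editor comment); the sample configs are constructed.

```python
# Added example: audit vsftpd.conf text for anonymous-FTP exposure.
# Assumption: the server is vsftpd. Option names and defaults follow the
# vsftpd.conf(5) man page; note that anonymous_enable defaults to YES.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}
# Anonymous write options; each only takes effect when write_enable is on.
ANON_WRITE = {
    "anon_upload_enable": "upload files",
    "anon_mkdir_write_enable": "create directories",
    "anon_other_write_enable": "delete and rename files",
}

def parse_conf(text):
    """Effective settings: built-in defaults overridden by option=value lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key] = value
    return settings

def enabled(settings, key):
    # vsftpd treats YES, TRUE and 1 as true for boolean options.
    return settings.get(key, "NO").upper() in ("YES", "TRUE", "1")

def audit(text):
    """Return (kind, message) findings; an empty list means anonymous FTP is off."""
    s = parse_conf(text)
    if not enabled(s, "anonymous_enable"):
        return []
    findings = [("read", "anonymous login allowed: files under the anonymous root are public")]
    if enabled(s, "write_enable"):
        for opt, action in ANON_WRITE.items():
            if enabled(s, opt):
                findings.append(("write", f"{opt}: anonymous users can {action}"))
    return findings

# Constructed sample configs (not taken from any real server).
IMPLICIT_OPEN = "listen=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
READ_ONLY = "anonymous_enable=YES\nanon_upload_enable=YES\n"
DISABLED = "anonymous_enable=NO\nwrite_enable=YES\nanon_upload_enable=YES\n"

if __name__ == "__main__":
    for name, conf in [("implicit", IMPLICIT_OPEN), ("read-only", READ_ONLY), ("disabled", DISABLED)]:
        print(name, audit(conf))
```

The IMPLICIT_OPEN sample never mentions anonymous_enable, yet it is flagged because the built-in default applies when the line is absent.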

Police Recommend Prosecuting vDOS Suspects
(March 27, 2017)

Israeli police are recommending that authorities indict and prosecute two men who allegedly operated vDOS, a distributed denial-of-service (DDoS) attack service. The police are recommending that the pair be charged with computer fraud and extortion.
Read more in:
KrebsOnSecurity: Alleged vDOS Owners Poised to Stand Trial https://krebsonsecurity.com/2017/03/alleged-vdos-owners-poised-to-stand-trial/

Germany Blocked Attacks from Russian Hacking Group Last Year
(March 24, 2017)

A German official said that experts in that country fended off two cyberattacks last year from a group known as APT28, which is believed to be behind attacks that targeted Hillary Clinton's presidential campaign last year. Arne Schoenbohm, president of Germany's Federal Office for Information Security (BSI), said that one of the attacks tried to create a phony Internet domain for Chancellor Angela Merkel; the other was a phishing attack against German legislators.
Read more in:
NYT: Germany Blocked Russian Hacking Attacks in 2016 https://www.nytimes.com/reuters/2017/03/24/world/europe/24reuters-germany-elections-russia.html

The Cybersecurity Disclosure Act of 2017, a bill introduced in the US Senate, would require publicly traded companies to disclose to regulators whether they have board members with cybersecurity expertise. While the legislation does not require companies to have a board member with cybersecurity expertise, it does require the companies that do not have such a board member to explain why it is not necessary based on other precautions they have taken. One of the bill's sponsors, Senator Jack Reed (D-Rhode Island) said, "Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight."
[Editor Comments]
[Williams] This is an interesting proposal, but there are questions about what will constitute "cyber expertise." The proposed bill states that the NIST NICE Cybersecurity Workforce Framework, currently in draft form, will be used to define what constitutes "expertise." If this bill becomes law, the NICE CWF will be increasingly important. Organizations may wish to familiarize themselves with the draft standard now.
NICE Cybersecurity Workforce Framework (PDF): http://csrc.nist.gov/publications/drafts/800-181/sp800_181_draft.pdf
Read more in:
GovInfoSecurity: Bill Would Compel Firms to Say If CyberSec Expert Sits on Board http://www.govinfosecurity.com/bill-would-compel-firms-to-say-if-cybersec-expert-sits-on-board-a-9776